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Abstract 

The relationship between BQP and PH has been an open problem since the earliest days 
of quantum computing. We present evidence that quantum computers can solve problems 
outside the entire polynomial hierarchy, by relating this question to topics in circuit complexity, 
pseudorandomness, and Fourier analysis. 

First, we show that there exists an oracle relation problem (i.e., a problem with many valid 
outputs) that is solvable in BQP, but not in PH. This also yields a non-oracle relation problem 
that is solvable in quantum logarithmic time, but not in AC . 

Second, we show that an oracle decision problem separating BQP from PH would follow 
from the Generalized Linial-Nisan Conjecture, which we formulate here and which is likely of 
independent interest. The original Linial-Nisan Conjecture (about pseudorandomness against 
constant-depth circuits) was recently proved by Braverman, after being open for twenty years. 
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Introduction 





A central task of quantum computing theory is to understand how BQP — meaning Bounded-Error 
Quantum Polynomial-Time, the class of all problems feasible for a quantum computer — fits in with 
classical complexity classes. In their original 1993 paper defining BQP, Bernstein and Vazirani 
P3] showed that BPP C BQP C P #p Informally, this says that quantum computers are at 
least as fast as classical probabilistic computers and no more than exponentially faster (indeed, 
they can be simulated using an oracle for counting). Bernstein and Vazirani also gave evidence 
that BPP / BQP, by exhibiting an oracle problem called Recursive Fourier Sampling that 
requires n^( logn ) queries on a classical computer but only n queries on a quantum computer H The 
evidence for the power of quantum computers became dramatically stronger a year later, when Shor 
[33] (building on work of Simon [M]) showed that Factoring and Discrete Logarithm are in 
BQP. On the other hand, Bennett et al. [9] gave oracle evidence that NP <f_ BQP, and while no 
one regards such evidence as decisive, today it seems extremely unlikely that quantum computers 
can solve NP-complete problems in polynomial time. A vast body of research, continuing to the 
present, has sought to map out the detailed boundary between those NP problems that are feasible 
for quantum computers and those that are not. 

However, there is a complementary question that — despite being universally recognized as one 
of the "grand challenges" of the field — has had essentially zero progress over the last sixteen years: 

Is BQP in NP? More generally, is BQP contained anywhere in the polynomial hierar- 
chy PH = NP U NP NP U NP NpNP U • • • ? 

The "default" conjecture is presumably BQP <f_ PH, since no one knows what a simulation 
of BQP in PH would look like. Before this work, however, there was no formal evidence for 
or against that conjecture. Almost all the problems for which we have quantum algorithms — 
including Factoring and Discrete Logarithm — are easily seen to be in NP n coNPjl One 
notable exception is Recursive Fourier Sampling, the problem that Bernstein and Vazirani 
|llj originally used to construct an oracle A relative to which BPP" 4 ^ BQP" 4 . One can show, 
without too much difficulty, that Recursive Fourier Sampling yields oracles A relative to 
which BQP 71 ^ NP" 4 and indeed BQP" 4 MA" 4 . However, while it is reasonable to conjecture 
that Recursive Fourier Sampling (as an oracle problem) is not in PH, it is open even to show 
that this problem (or any other BQP oracle problem) is not in AM! Recall that AM = NP under 

x The upper bound was later improved to BQP C PP by Adleman, DeMarrais, and Huang [3]. 
2 For more about Recursive Fourier Sampling see Aaronson [2]. 

3 Here we exclude BQP-complete problems such as approximating the Jones polynomial ,5 , which, by the very 
fact of being BQP-complete, seem hard to interpret as "evidence" for BQP <£_ PH. 
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plausible derandomization assumptions [26]. Thus, until we solve the problem of constructing an 
oracle A such that BQP" 4 AM A , we cannot even claim to have oracle evidence (which is itself, of 
course, a weak form of evidence) that BQP <f_ NP. 

Before going further, we should clarify that there are two questions here: whether BQP C PH 
and whether PromiseBQP C PromisePH. In the unrelativized world, it is entirely possible that 
quantum computers can solve promise problems outside the polynomial hierarchy, but that all 
languages in BQP are nevertheless in PH. However, for the specific purpose of constructing an 
oracle A such that BQP" 4 <£. PH A , the two questions are equivalent, basically because one can always 
"offload" a promise into the construction of the oracle ^4o 



1.1 Motivation 

There are at least four reasons why the BQP versus PH question is so interesting. At a basic 
level, it is both theoretically and practically important to understand what classical resources are 
needed to simulate quantum physics. For example, when a quantum system evolves to a given 
state, is there always a short classical proof that it does so? Can one estimate quantum amplitudes 
using approximate counting (which would imply BQPCBPP NP )? If something like this were true, 
then while the exponential speedup of Shor's factoring algorithm might stand, quantum computing 
would nevertheless seem much less different from classical computing than previously thought. 

Second, if BQP <f_ PH, then many possibilities for new quantum algorithms might open up to 
us. One often hears the complaint that there are too few quantum algorithms, or that progress on 
quantum algorithms has slowed since the mid-1990s. In our opinion, the real issue here has nothing 
to do with quantum computing, and is simply that there are too few natural N P-intermediate 
problems for which there plausibly could be quantum algorithms! In other words, instead of 
focussing on Graph Isomorphism and a small number of other N P-intermediate problems, it 
might be fruitful to look for quantum algorithms solving completely different types of problems — 
problems that are not necessarily even in PH. In this paper, we will see a new example of such a 
quantum algorithm, which solves a problem called Fourier Checking. 

Third, it is natural to ask whether the P = BQP question is related to that other fundamental 

? 

question of complexity theory, P = NP. More concretely, is it possible that quantum computers 
could provide exponential speedups even if P = NP? If BQP C PH, then certainly the answer to 
that question is no (since P = NP ==> P = PH). Therefore, if we want evidence that quantum 
computing could survive a collapse of P and NP, we must also seek evidence that BQP <f_ PH. 

Fourth, a major challenge for quantum computing research is to get better evidence that quantum 
computers cannot solve HP-complete problems in polynomial time. As an example, could we show 
that if NP C BQP, then the polynomial hierarchy collapses? At first glance, this seems like a wild 
hope; certainly we have no idea at present how to prove anything of the kind. However, notice 

4 Here is a simple proof: let II = (IIyes, IIno) be a promise problem in PromiseBQP" 4 \ PromisePH A , for some 
oracle A. Then clearly, every PromisePH A machine M fails to solve II on infinitely many inputs x in IIyes U IIno- 
This means that we can produce an infinite sequence of inputs xi,X2,--- in IIyes U IIno, whose lengths 711,712,. .. 
are spaced arbitrarily far apart, such that every PromisePH A machine M fails to solve II on at least one Xi. Now 
let B be an oracle that is identical to A, except that for each input length n, it reveals (i) whether n = m for some 
i and (ii) if so, what the corresponding Xi is. Also, let L be the unary language that contains 0™ if and only if (i) 
n = rii for some i and (ii) Xi € IIyes- Then L is in BQP S but not PH S . 
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that if BQP C AM, then the desired implication would follow immediately! For in that case, 

NP C BQP coNP C BQP 
=>- coNP C AM 



where the last implication was shown by Boppana, Hastad, and Zachos [12j . Similar remarks apply 
to the questions of whether NP C BQP would imply PH C BQP, and whether the folklore result 
nr bpp gppNP hag the quantum analogue NP BQP C BQP NP . In each of these cases, we find that 
understanding some other issue in quantum complexity theory requires first coming to grips with 
whether BQP is contained in some level of the polynomial hierarchy. 

1.2 Our Results 

This paper presents the first formal evidence for the possibility that BQP <f_ PH. Perhaps more 
importantly, it places the relativized BQP versus PH question at the frontier of (classical) circuit 
lower bounds. The heart of the problem, we will find, is to extend Braverman's spectacular recent 
proof [13] of the Linial-Nisan Conjecture, in ways that would reveal a great deal of information 
about small-depth circuits independent of the implications for quantum computing. 

We have two main contributions. First, we achieve an oracle separation between BQP and PH 
for the case of relation problems. A relation problem is simply a problem where the desired output 
is an n-bit string (rather than a single bit), and any string from some nonempty set S is acceptable. 
Relation problems arise often in theoretical computer science; one well-known example is finding 
a Nash equilibrium (shown to be PPAD-complete by Daskalakis et al. [15J). Within quantum 
computing, there is considerable precedent for studying relation problems as a warmup to the 
harder case of decision problems. For example, in 2004 Bar-Yossef, Jayram, and Kerenidis [6] gave 
a relation problem with quantum one-way communication complexity O (log n) and randomized 
one-way communication complexity O (s/n). It took several more years for Gavinsky et al. |20j to 
achieve the same separation for decision problems, and the proof was much more complicated. The 
same phenomenon has arisen many times in quantum communication complexity [17\ fTS] fl"9j [21j [22] , 
though to our knowledge, this is the first time it has arisen in quantum query complexity. 

Formally, our result is as follows: 

Theorem 1 There exists an oracle A relative to which FBQP A <£_ FBPP PH , where FBQP and 
FBPP are the relation versions of BQP and BPP respectively^ 

Underlying Theorem [T] is a new lower bound against AC circuits (constant-depth circuits com- 
posed of AND, OR, and NOT gates). The close connection between AC and the polynomial 
hierarchy that we exploit is not new. In the early 1980s, Furst-Saxe-Sipser [16] and Yao [39] no- 
ticed that, if we have a PH machine M that computes (say) the Parity of a 2 n -bit oracle string, 
then by simply reinterpreting the existential quantifiers of M as OR gates and the universal quan- 
tifiers as AND gates, we obtain an AC circuit of size 

2 poly(n) solving the 

same problem. It follows 

that, if we can prove a 2 w ( polylogn ) lower bound on the size of AC circuits computing Parity, we 

5 Confusingly, the F stands for "function"; we are simply following the standard naming convention for classes of 
relation problems (FP, FNP, etc). 
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can construct an oracle A relative to which ©P <f_ PH . The idea is the same for constructing an 
A relative to which C A (jt PH" 4 , where C is any complexity class. 

Indeed, the relation between PH and AC is so direct that we get the following as a more-or-less 
immediate counterpart to Theorem [TJ 

Theorem 2 In the unrelativized world (with no oracle), there exists a relation problem solvable in 
quantum logarithmic time but not in nonuniform AC . 

The relation problem that we use to separate BQP from PH, and BQLOGTIME from AC , is 
called Fourier Fishing. The problem can be informally stated as follows. We are given oracle 
access to n Boolean functions fi, ■ ■ ■ , f n '■ {0,l} n — > { — 1,1}, which we think of as chosen uniformly 
at random. The task is to output n strings, zx,...,z n £ {0, l} n , such that the corresponding 
squared Fourier coefficients fi(zi) 2 ,...,f n (z n ) 2 are "often much larger than average." Notice 
that if fi is a random Boolean function, then each of its Fourier coefficients fi (z) follows a nor- 
mal distribution — meaning that with overwhelming probability, a constant fraction of the Fourier 
coefficients will be a constant factor larger than the mean. Furthermore, it is straightforward to 
create a quantum algorithm that samples each z with probability proportional to fi (z) 2 , so that 
larger Fourier coefficients are more likely to be sampled than smaller ones. 

On the other hand, computing any specific fi (z) is easily seen to be equivalent to summing 2 n 
bits. By well-known lower bounds on the size of AC circuits computing the Majority function 
(see Hastad [36J for example), it follows that, for any fixed z, computing fi (z) cannot be in PH 
as an oracle problem. Unfortunately, this does not directly imply any separation between BQP 
and PH, since the quantum algorithm does not compute fi (z) either: it just samples a z with 
probability proportional to fi (z) 2 . However, we will show that, if there exists a BPP PH machine 
M that even approximately simulates the behavior of the quantum algorithm, then one can solve 
Majority by means of a nondeterministic reduction — which uses approximate counting to estimate 
Pr [M outputs z], and adds a constant number of layers to the AC circuit. The central difficulty 
is that, if M knew the specific z for which we were interested in estimating /, (z), then it could 
choose adversarially never to output that z. To solve this, we will show that we can "smuggle" a 
Majority instance into the estimation of a random Fourier coefficient fi (z), in such a way that 
it is information-theoretically impossible for M to determine which z we care about. 

Our second contribution is to define and study a new black-box decision problem, called 
Fourier Checking. Informally, in this problem we are given oracle access to two Boolean 
functions f,g : {0,1}"" — ► {—1,1}, and are promised that either 

(i) / and g are both uniformly random, or 

(ii) / is uniformly random, while g is extremely well correlated with f's Fourier transform over 

(which we call "forrelated" ) . 

The problem is to decide whether (i) or (ii) is the case. 

It is not hard to show that Fourier Checking is in BQP: basically, one can prepare a uniform 
superposition over all x £ {0, l} n , then query /, apply a quantum Fourier transform, query g, and 
check whether one has recovered something close to the uniform superposition. On the other 
hand, being forrelated seems like an extremely "global" property of / and g: one that would not 
be apparent from querying any small number of / (x) and g (y) values, regardless of the outcomes 
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of those queries. And thus, one might conjecture that Fourier Checking (as an oracle problem) 
is not in PH. 

In this paper, we adduce strong evidence for that conjecture. Specifically, we show that for every 
k < 2 n / 4 , the forrelated distribution over (f,g) pairs is O (A; 2 /2 n / 2 ) -almost k-wise independent. By 
this we mean that, if one had 1/2 prior probability that / and g were uniformly random, and 1/2 
prior probability that / and g were forrelated, then even conditioned on any k values of / and g, 
the posterior probability that / and g were forrelated would still be 

We conjecture that this almost fc-wise independence property is enough, by itself, to imply that an 
oracle problem is not in PH. We call this the Generalized Linial-Nisan Conjecture. 

Without the ±0 [k 2 /2 n / 2 ) error term, our conjecture would be equivalent^ to a famous con- 
jecture in circuit complexity made by Linial and Nisan [28] in 1990. Their conjecture stated that 
poly logarithmic independence fools AC : in other words, every probability distribution over iV-bit 
strings that is uniform on every small subset of bits, is indistinguishable from the truly uniform 
distribution by AC circuits. When we began investigating this topic a year ago, even the original 
Linial-Nisan Conjecture was still open. Since then, Braverman [13] (building on earlier work by 
Bazzi [7J and Razborov |30j) has given a beautiful proof of that conjecture. In other words, to 
construct an oracle relative to which BQP <f_ PH, it now suffices to generalize Braverman's Theorem 
from fc-wise independent distributions to almost fc-wise independent ones. We believe that this is 
by far the most promising approach to the BQP versus PH problem. 

Alas, generalizing Braverman's proof is much harder than one might have hoped. To prove the 
original Linial-Nisan Conjecture, Braverman showed that every AC function / : {0, 1}™ — * {0, 1} 
can be well-approximated, in the Li-norm, by low-degree sandwiching polynomials: real polynomials 
Pt,p u : M n — > M, of degree O (polylogn), such that pe (x) < f (x) < p u (x) for all x G {0, l} n . Since 
Pl and p u trivially have the same expectation on any fe-wise independent distribution that they 
have on the uniform distribution, one can show that / must have almost the same expectation as 
well. To generalize Braverman's result from fc-wise independence to almost /c-wise independence, 
we will show that it suffices to construct low-degree sandwich polynomials that satisfy a certain 
additional condition. This new condition (which we call "low-fat" ) basically says that pi and p u 
must be representable as linear combinations of terms (that is, products of Xi's and (1 — ccj)'s), in 
such a way that the sum of the absolute values of the coefficients is bounded — thereby preventing 
"massive cancellations" between positive and negative terms. Unfortunately, while we know two 
techniques for approximating AC functions by low-degree polynomials — that of Linial-Mansour- 
Nisan [27] and that of Razborov [29] and Smolensky [35] — neither technique provides anything like 
the control over coefficients that we need. To construct low-fat sandwiching polynomials, it seems 
necessary to reprove the LMN and Razborov-Smolensky theorems in a more "conservative," less 
"profligate" way. And such an advance seems likely to lead to breakthroughs in circuit complexity 
and computational learning theory having nothing to do with quantum computing. 

Let us mention two further applications of Fourier Checking: 

(1) If the Generalized Linial-Nisan Conjecture holds, then just like with Fourier Fishing, we 
can "scale down by an exponential," to obtain a promise problem that is in BQLOGTIME but 
not in AC . 

6 Up to unimportant variations in the parameters 
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(2) Without any assumptions, we can prove the new results that there exist oracles relative to 
which BQP (£_ BPP pat h and BQP <f_ SZK. We can also reprove all previous oracle separations 
between BQP and classical complexity classes in a unified fashion. 

To summarize our conclusions: 

Theorem 3 Assuming the Generalized Linial-Nisan Conjecture, there exists an oracle A relative 
to which BQP" 4 <f_ PH" 4 , and there also exists a promise problem in BQLOGTIME \ AC . Uncondi- 
tionally, there exists an oracle A relative to which BQP" 4 <£_ BPP^ ath and BQP" 4 SZK" 4 . 

As a candidate problem, Fourier Checking has at least five advantages over the Recursive 
Fourier Sampling problem of Bernstein and Vazirani [11]. First, it is much simpler to define and 
reason about. Second, Fourier Checking has the almost /c-wise independence property, which 
is not shared by Recursive Fourier Sampling, and which immediately connects the former 
to general questions about pseudorandomness against constant-depth circuits. Third, Fourier 
Checking can yield exponential separations between quantum and classical models, rather than 
just quasipolynomial ones. Fourth, one can hope to use Fourier Checking to give an oracle 
relative to which BQP is not in PH [n c ] (or PH with n c alternations) for any fixed c; by contrast, 
Recursive Fourier Sampling is in PH [logra]. Finally, it is at least conceivable that the quantum 
algorithm for Fourier Checking is good for something. We leave the challenge of finding an 
explicit computational problem that "instantiates" Fourier Checking, in the same way that 
Factoring and Discrete Logarithm instantiated Shor's period-finding problem. 

1.3 In Defense of Oracles 

This paper is concerned with finding oracles relative to which BQP outperforms classical complexity 
classes. As such, it is open to the usual objections: "But don't oracle results mislead us about the 
'real' world? What about non-relativizing results like IP = PS PACE [32]?" 

In our view, it is most helpful to think of oracle separations, not as strange metamathematical 
claims, but as lower bounds in a concrete computational model that is natural and well-motivated in 
its own right. The model in question is query complexity, where the resource to be minimized is the 
number of accesses to a very long input string. When someone gives an oracle A relative to which 
C" 4 ^ T> A , what they really mean is simply that they have found a problem that C machines can 
solve using superpolynomially fewer queries than T> machines. In other words, C has has "cleared 
the first possible obstacle" — the query complexity obstacle — to having capabilities beyond those of 
V. Of course, it could be (and sometimes is) that C C V for other reasons, but if we do not even 
have a query complexity lower bound, then proving one is in some sense the obvious place to start. 

Oracle separations have played a role in many of the central developments of both classical and 
quantum complexity theory. As mentioned earlier, proving query complexity lower bounds for 
PH machines is essentially equivalent to proving size lower bounds for AC circuits — and indeed, 
the pioneering AC lower bounds of the early 1980s were explicitly motivated by the goal of prov- 
ing oracle separations for PH0 Within quantum computing, oracle results have played an even 
more decisive role: the first evidence for the power of quantum computers came from the oracle 

7 Yao's paper [35] was entitled "Separating the polynomial-time hierarchy by oracles"; the Furst-Saxe-Sipser paper 
[16] was entitled "Parity, circuits, and the polynomial time hierarchy." 
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separations of Bernstein- Vazirani [TT] and Simon [34] , and Shor's algorithm [33] contains an oracle 
algorithm (for the Period-Finding problem) at its core. 

Having said all that, if for some reason one still feels averse to the language of oracles, then 
(as mentioned before) one is free to scale everything down by an exponential, and to reinterpret a 
relativized separation between BQP and PH as an imrelativized separation between BQLOGTIME 
and AC . 



2 Preliminaries 



It will be convenient to consider Boolean functions of the form / : {0, l} n — > { — 1, 1}. Throughout 
this paper, we let N = 2 n ; we will often view the truth table of a Boolean function as an "input" 
of size N. Given a Boolean function / : {0, l} n — > { — 1, 1}, the Fourier transform of / is defined as 



Recall Parseval's identity: 



n-y-js E c-ir/w- 



xe{o,i} 



E 

26{0,l} n 



ze{o,i} n 



N. 



2.1 Problems 

We first define the Fourier Fishing problem, in both "distributional" and "promise" versions. In 
the distributional version, we are given oracle access to n Boolean functions fi, ■ ■ ■ , f n ■ {0, l} n — ► 
{ — 1, 1}, which are chosen uniformly and independently at random. The task is to output n strings, 



G {0, l} n , at least 75% of which satisfy fi {zi) 



> 1 and at least 25% of which satisfy 



fi ( z i) 



> 2. (Note that these thresholds are not arbitrary, but were carefully chosen to produce 

a separation between the quantum and classical models!) 

We now want a version of Fourier Fishing that removes the need to assume the /j's are 
uniformly random, replacing it with a worst-case promise on the /j's. Call an n-tuple {fx, . . . , f n ) 
of Boolean functions good if 



E E $ te) 2 ^ °- 8iVn ' 

i=1 zi--\fi(zi)\>l 
n 

E E ^ ( z ^ 2 ^ °- 2QNn - 

i=1 Zi-\fi{zi)\>2 

(We will show in Lemma[8]that the vast majority of (/i, . . . , f n ) are good.) In Promise Fourier 
Fishing, we are given oracle access to Boolean functions fx, . . . , f n : {0, l} n — ► { — 1,1}, which are 
promised to be good. The task, again, is to output strings zi,...,z n £ {0, l} n , at least 75% of 

which satisfy fi (zi) > 1 and at least 25% of which satisfy fi (z^ > 2. 

Next we define a decision problem called Fourier Checking. Here we are given oracle access 
to two Boolean functions /, g : {0, l} n — > { — 1, 1}. We are promised that either 
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(i) (/, g) was drawn from the uniform distribution U, which sets every / (x) and g (y) by a fair, 
independent coin toss. 

(ii) (f,g) was drawn from the "forrelated" distribution J 7 , which is defined as follows. First 
choose a random real vector v = (v x ) x& ^ jin e R N , by drawing each entry independently 
from a Gaussian distribution with mean and variance 1. Then set / (x) := sgn(v x ) and 
g (x) := sgn (v x ) for all x. Here 



sgn(a) :-- 



1 if a > 
-1 if a < 



and v is the Fourier transform of v over Z£ : 



1u v 



iV 

xe{o,i} r 



x-y 



In other words, / and g individually are still uniformly random, but they are no longer 
independent: now g is now extremely well correlated with the Fourier transform of / (hence 
"forrelated"). 

The problem is to accept if (/, g) was drawn from J 7 , and to reject if (/, g) was drawn from U. Note 
that, since J- and IA overlap slightly, we can only hope to succeed with overwhelming probability 
over the choice of {f,g), not for every (f,g) pair. 

We can also define a promise-problem version of Fourier Checking. In Promise Fourier 
Checking, we are promised that the quantity 

P(f>B)-=jj*\ >J f{x)(-lf y g{y) 

is either at least 0.05 or at most 0.01. The problem is to accept in the former case and reject in 
the latter case. 



2.2 Complexity Classes 

See the Complexity ZocEl for the definitions of standard complexity classes, such as BQP, AM, and 
PH. When we write C PH (i.e., a complexity class C with an oracle for the polynomial hierarchy), 
we mean Ufc>]C *. 

We will consider not only decision problems, but also relation problems (also called function 
problems). In a relation problem, the output is not a single bit but a poly (n)-bit string y. There 
could be many valid y's for a given instance, and the algorithm's task is to output any one of them. 

The definitions of FP and FNP (the relation versions of P and NP) are standard. We now define 
FBPP and FBQP, the relation versions of BPP and BQP. 

Definition 4 FBPP is the class of relations R C {0, 1}* x {0, 1}* for which there exists a proba- 
bilistic polynomial-time algorithm A that, given any input x G {0, l} n , produces an output y such 
that 

Pv[(x,y)eR] = l-o(l), 

s www.complexityzoo.com 
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where the probability is over A's internal randomness. (In particular, this implies that for every 
x, there exists at least one y such that (x,y) 6 R.) FBQP is defined the same way, except that A 
is a quantum algorithm rather than a classical one. 

An important point about FBPP and FBQP is that, as far as we know, these classes do not 
admit amplification. In other words, the value of an algorithm's success probability might actually 
matter, not just the fact that the probability is bounded above 1/2. This is why we adopt the 
convention that an algorithm "succeeds" if it outputs (x,y) € R with probability 1 — o(l). In 
practice, we will give oracle problems for which the FBQP algorithm succeeds with probability 
1 — 1/exp (n), while any FBPP PH algorithm succeeds with probability at most (say) 0.99. How far 
the constant in this separation can be improved is an open problem. 

Another important point is that, while BPP PH = P PH (which follows from BPP C Z P ), the class 
pgppPH - g s t r i c tly larger than FP PH . To see this, consider the relation 

R = {(0 n ,y):K(y)>n}, 

where we are given n, and asked to output any string of Kolmogorov complexity at least n. Clearly 
this problem is in FBPP: just output a random 2n-bit string. On the other hand, just as obviously 
the problem is not in FP PH . This is why we need to construct an oracle A such that FBQP" 4 <£_ 
pgppPH . |3 ecause constructing an oracle A such that FBQP A FP PH is trivial and not even 
related to quantum computing. 

We now discuss some "low- level" complexity classes. AC is the class of problems solvable by 
a nonuniform family of AND/OR/NOT circuits, with depth 0(1), size poly(n), and unbounded 
fanin. When we say "AC circuit," we mean a constant-depth circuit of AND/OR/NOT gates, not 
necessarily of polynomial size. Any such circuit can be made into a formula (i.e., a circuit of fanout 
1) with only a polynomial increase in size. The circuit has depth d if it consists of d alternating 
layers of AND and OR gates (without loss of generality, the NOT gates can all be pushed to the 
bottom, and we do not count them towards the depth). For example, a DNF (Disjunctive Normal 
Form) formula is just an AC circuit of depth 2. 

We will also be interested in quantum logarithmic time, which can be defined naturally as 
follows: 

Definition 5 BQLOGTIME is the class of languages L C {0, 1}* that are decidable, with bounded 
probability of error, by a LOGT\ME-uniform family of quantum circuits {C n } n such that each C n 
has O(logn) gates, and can include gates that make random-access queries to the input string 
x = x± . . . x n (i.e., that map \i) \z) to \i) \z © Xj) for every i £ [n]). 

One other complexity class that arises in this paper, which is less well known than it should be, 
is BPPpath- Loosely speaking, BPP pat h can be defined as the class of problems that are solvable 
in probabilistic polynomial time, given the ability to "postselect" (that is, discard all runs of the 
computation that do not produce a desired result, even if such runs are the overwhelming majority). 
Formally: 

Definition 6 BPP pat h is the class of languages L C {0, 1}* for which there exists a BPP machine 
M, which can either "succeed" or "fail" and conditioned on succeeding either "accept" or "reject," 
such that for all inputs x: 
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M (x) succeeds] > | . 
M (x) succeeds] < | . 

BPPpath was defined by Han, Hemaspaandra, and Thierauf [25] . who also showed that MA C 
BPPpath and P^ p C BPP path C BPP^ P . Using Fourier Checking, we will construct an oracle 

A relative to which BQP^ 4 (£ BPP^ ath . This result might not sound amazing, but (i) it is new, 
(ii) it does not follow from the "standard" quantum algorithms, such as those of Simon |34j and 
Shor [33J, and (iii) it supersedes almost all previous oracle results placing BQP outside classical 
complexity classes!! As another illustration of the versatility of Fourier Checking, we use it 
to give an A such that BQP" 4 <f_ SZK" 4 , where SZK is Statistical Zero Knowledge. The opposite 
direction — an A such that SZK" 4 <f_ BQP" 4 — was shown by Aaronson p] in 2002. 



(i) Pr [M (x) succeeds] > 0. 

(ii) x £ L ==>- Pr [M (x) accepts 
(iii) x ^ L ==> Pr [M (x) accepts 



3 Quantum Algorithms 

In this section, we show that Fourier Fishing and Fourier Checking both admit simple 
quantum algorithms. 



3.1 Quantum Algorithm for Fourier Fishing 

Here is a quantum algorithm, FF-ALG, that solves FOURIER FISHING with overwhelming probability 
in O (n 2 ) time and n quantum queries (one to each fa). For i := 1 to n, first prepare the state 

7= Yl & ^ ^ ' 

ze{0,i} n 

then apply Hadamard gates to all n qubits, then measure in the computational basis and output 
the result as Zi. 

Intuitively, FF-ALG samples the Fourier coefficients of each fi under a distribution that is skewed 
towards larger coefficients; the algorithm's behavior is illustrated pictorially in Figured) We now 
give a formal analysis. Recall the definition of a "good" tuple ••-,/«) from Section [27TI 
Assuming (/i, . . . , /„) is good, it is easy to analyze FF-ALG's success probability. 

Lemma 7 Assuming (fx, ... , f n ) is good, FF-ALG succeeds with probability 1 — 1/ exp (n). 



Proof. Let {z\, . . . , z n ) be the algorithm's output. For each i, let Xi be the event that fa (z{ 



> 1 



and let Yi be the event that 



fi( z i) > 2. Also let pi := Pr [Xi] and := Pr[Y^], where the 



9 The one exception is the result of Green and Pruim [24] that there exists an A relative to which BQP" 4 P K 
but that can also be easily reproduced using Fourier Checking. 
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Figure 1: The Fourier coefficients of a random Boolean function follow a Gaussian distribution, 
with mean and variance 1. However, larger Fourier coefficients are more likely to be observed 
by the quantum algorithm. 

probability is over FF-ALG's internal (quantum) randomness. Then clearly 

Zi-\fi(Zi)\>l 

*i:|£(*i)|>2 

So by assumption, 

pH h p n > 0.8n, 

q% + ■ ■ ■ + q n > 0.26n. 

By a Chernoff/Hoeffding bound, it follows that 

Pr [Xi + • • • + X n > 0.75n] > 1 —. — -, 

exp (n) 

Pr \Yx + ■ ■ ■ + Y n > 0.25n] > 1 —. — -. 

exp (n) 

Hence FF-ALG succeeds with 1 — 1/exp (n) probability by the union bound. ■ 
We also have the following: 

Lemma 8 (fx, . . . , f n ) is good with probability 1 — 1/ exp (n), if the fi 's are chosen uniformly at 
random. 
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Proof. Choose / : {0, l} n — > { — 1, 1} uniformly at random. Then for each z, the Fourier coefficient 
/ (z) follows a normal distribution, with mean and variance 1. So in the limit of large N, 



E 

/ 



E ?w ! 

|/W|>i 



E Pr [' (z) 

ze{o,i} n 
2N r °° 



> 1 



E 



/(*r i /(*) 



> i 



'2n Ji 
0.801JV. 



x2 l 2 x 2 dx 



Likewise, 



E 

/ 



E /(*) 

*|/0)|>2 



2iV 



27T J2 

ps 0.261JV. 

Since the /j's are chosen independently of one another, it follows by a Chernoff bound that 



E E fi ( z rf ^ °- 8Nn > 

i=1 Zi:\fi(zi)\>l 
n 

E E f* &) 2 ^ °- 26Nn 

i=1 Zi:\fi(zi)\>2 

with probability 1 — 1/ exp (n) over the choice of (/i, . . . , / n ). ■ 

Combining Lemmas [7] and El we find that FF-ALG succeeds with probability 1 — 1/ exp (n), where 
the probability is over both (fx, ... , /„) and FF-ALG's internal randomness. 

3.2 Quantum Algorithm for Fourier Checking 

We now turn to Fourier Checking, the problem of deciding whether two Boolean functions f,g 
are independent or forrelated. Here is a quantum algorithm, FC-ALG, that solves Fourier Check- 
ing with constant error probability using 0(1) queries. First prepare a uniform superposition over 
all x £ {0, l} n . Then query / in superposition, to create the state 

^ E /(*)i*> 

xe{o,i} n 

Then apply Hadamard gates to all n qubits, to create the state 

i E /(zH-iHh/)- 

Then query g in superposition, to create the state 



1 E f{x){-ir y g{y)\y)- 



z,j/e{o,i} r 
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Then apply Hadamard gates to all n qubits again, to create the state 



£ f(x)(-ir y g(y)(-ir z \z) 




AT3/2 

x,y,ze{0,l} n 

Finally, measure in the computational basis, and "accept" if and only if the outcome |0)® n is 
observed. If needed, repeat the whole algorithm O (1) times to boost the success probability. 
It is clear that the probability of observing lO}®" (in a single run of FC-ALG) equals 

P (/.»)== ^3 I X f(x)(-lf y g(y) 

Recall that Promise Fourier Checking was the problem of deciding whether p (f, g) > 0.05 
or p(f,g) < 0.01, promised that one of these is the case. Thus, we immediately get a quantum 
algorithm to solve Promise Fourier Checking, with constant error probability, using O (1) 
queries to / and g. 

For the distributional version of Fourier Checking, we also need the following theorem. 
Theorem 9 If (/, g) is drawn from the uniform distribution U, then 

£[»(/,»)] = ^ 

If if,g) is drawn from the forrelated distribution T ', then 

E[p (/,<?)]> 0.07. 

Proof. The first part follows immediately by symmetry (i.e., the fact that all N = 2 n measurement 
outcomes of the quantum algorithm are equally likely). 

For the second part, let v 6 be the vector of independent Gaussians used to generate / and 
g, let w = v I ||u|| 2 be v scaled to have unit norm, and let H be the n-qubit Hadamard matrix. Also 
let flat (w) be the unit vector whose x th entry is sgn (w x ) /y/~N = f (x) /\/~N, and let flat (Hw) be 
the unit vector whose x th entry is sgn (v x ) /V~N = g (x) /\fN. Then p (f,g) equals 

(flat (wf HQat(Hw)y , 

or the squared inner product between the vectors flat (w) and H flat (Hw). Note that w T ■ HHw = 
w T w = 1. So the whole problem is to understand the "discretization error" incurred in replacing w T 
by flat (w) T and HHw by H flat (Hw). By the triangle inequality, the angle between flat (w) and 
H flat (Hw) is at most the angle between flat (w) and w, plus the angle between w and H flat (Hw). 
In other words: 

arccos ^flat (w) T H Hat (Hw)^j < arccos ^flat (w) T w^j + arccos (w T H flat (Hw)} . 
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Now, 



flat (w) T w = ^2 w x 
»e{o,i} n 



1 \w x \ 



N w x 



-= i w x i 

ae{o,i}" 



6{0,1} 



Recall that each is an independent real Gaussian with mean and variance 1, meaning that 
each \v x \ is an independent nonnegative random variable with expectation ^Jljix. So by standard 
tail bounds, for all constants e > we have 



Pr 

V 



xe{o,i} n 



< 



1 



Pr 



\v\\l>(l + e)N 



< 



exp (N) ' 
1 

exp (N) ' 



So by the union bound, 



Pr 

V 



flat (w) T w < J- - e 



< 



exp (N) ' 



Since H is unitary, the same analysis applies to w T H flat (Hw). Therefore, for all constants e > 0, 
with 1 — 1/ exp (N) probability we have 



arccos ( flat (w) w) < ^arccos y — J + e, 



arccos (w T HHat(Hw)) < arccos \ — 



+ e. 



So setting e = 0.0001, 

arccos (flat (w) T HRat (Hw)) < arccos (flat (w) T wj + arccos (ui T .£f flat (Hw)} 



< 2 ^arccos y — J + 2e 

< 1.3 

Therefore, with 1 — 1/ exp (N) probability over (/, g) drawn from J 7 , 

flat (w f H flat (Hw) > cos 1.3, 

in which case p (f,g) > (cosl.3) 2 « 0.072. ■ 

Combining Theorem [9] with Markov's inequality, we immediately get the following: 
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Corollary 10 




4 The Classical Complexity of Fourier Fishing 

In Section 13.11 we gave a quantum algorithm for Fourier Fishing that made only one query to 
each /j. By contrast, it is not hard to show that any classical algorithm for Fourier Fishing 
requires exponentially many queries to the /Vs. In this section, we prove a much stronger result: 
that Fourier Fishing is not in FBPP PH . This result does not rely on any unproved conjectures. 

4.1 Constant-Depth Circuit Lower Bounds 

Our starting point will be the following AC lower bound, which can be found in the book of Hastad 
[36] for example. 

Theorem 11 ([36]) Any depth-d circuit that accepts all n-bit strings of Hamming weight n/2 + 1, 
and rejects all strings of Hamming weight n/2, has size exp 

We now give a corollary of Theorem II 11 which (though simple) seems to be new, and might be 
of independent interest. Consider the following problem, which we call e-BiAS Detection. We 
are given a string y = y\ . . . y m £ {0, l} m , and are promised that each bit j/, is 1 with independent 
probability p. The task is to decide whether p = 1/2 or p = 1/2 + e. 

Corollary 12 LetlA [e] be the distribution over {0, l} m where each bit is 1 with independent prob- 
ability 1/2 + e. Then any depth-d circuit C such that 



has size exp (^(l/e 1 /^))). 

Proof. Suppose such a distinguishing circuit C exists, with depth d and size S, for some s > (the 
parameter m is actually irrelevant). Let n = 1/e, and assume for simplicity that n is an integer. 
Using C, we will construct a new circuit C with depth d' = d + 3 and size S' = O (nS) + poly (n), 
which accepts all strings x £ {0, 1}™ of Hamming weight n/2 + 1, and rejects all strings of Hamming 
weight n/2. By Theorem lll| this will imply that the original circuit C must have had size 



So fix an input x £ {0, l} n , and suppose we choose m bits . . . ,Xi m from x, with each index ij 
chosen uniformly at random with replacement. Call the resulting m-bit string y. Observe that if 




poly (n) 
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x had Hamming weight n/2, then y will be distributed according to IA [0], while if x had Hamming 
weight n/2 + 1, then y will be distributed according to IA [e]. So by assumption, 



Pr[C(y) | |x| = n/2] = a, 
Pr[C(y) | |x| =n/2 + l] = a + 5 

for some constants a and # ^ (we can assume 5 > without loss of generality). 

Now suppose we repeat the above experiment T = kn times, for some constant k = k(a,5). 
That is, we create T strings y\, . . . , yx by choosing random bits of x, so that each yi is distributed 
independently according to either IA [0] or IA [e]. We then apply C to each y^. Let 

Z = C( yi ) + --- + C(y T ) 

be the number of C invocations that accept. Then by a Chernoff bound, if \x\ = n/2 then 

5, ~ 



while if \x\ = n/2 + 1 then 



Pr 



Pr 



Z > aT + -T 
3 



28 ' 

Z <aT + —T 
3 



< exp (— n) , 



< exp (— n) 



By taking k large enough, we can make both of these probabilities less than 2 " . By the union 
bound, this implies that there must exist a way to choose yi, . . . , yx so that 



n 

Fl - j 

= - + 1 
2 



Z < aT + -T, 
3 

25 

Z > aT H T 

3 



for every x with |z| G {n/2, n/2 + 1} simultaneously. In forming the circuit C, we simply hardwire 
that choice. 

The last step is to decide whether Z < aT + |T or Z > aT + ^-T. This can be done using 
an AC circuit for the Approximate Majority problem (see Viola [37] for example), which has 
depth 3 and size poly (T). The end result is a circuit C to distinguish \x\ = n/2 from \x\ = n/2 + 1, 
which has depth d + 3 and size TS + poly (T) = O (nS) + poly (n). ■ 



4.2 Secretly Biased Fourier Coefficients 

In this section, we prove two lemmas indicating that one can slightly bias one of the Fourier 
coefficients of a random Boolean function / : {0,l} ra — ► {—1,1}, and yet still have / be information- 
theoretically indistinguishable from a random Boolean function (so that, in particular, an adversary 
has no way of knowing which Fourier coefficient was biased) . These lemmas will play a key role in 
our reduction from e-BiAS Detection to FOURIER Fishing. 

Fix a string s S {0, l} n . Let A [s] be the probability distribution over functions / : {0, l} n — ► 
{— 1, 1} where each / (x) is 1 with independent probability \ + (— l) s ' x Tr^j and let B [s] be the 

distribution where each / (x) is 1 with independent probability 5 — (—l) s x -^j^- Then let V [s] = 

\ {A [s] + B [s]) (that is, an equal mixture of A [s] and B [s]). 
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Lemma 13 Suppose Alice chooses s £ {0, 1}™ uniformly at random, then draws f according to 
V [s] . She keeps s secret, but sends the truth table of f to Bob. After examining f , Bob outputs 



a string z such that 



f(z) 



> (3. Then 



Pr [s = z]> 



e? + e-f 
2^/eN ' 



where the probability is over all runs of the protocol. 



Proof. By Yao's principle, we can assume without loss of generality that Bob's strategy is deter- 
ministic. For each z, let T [z] be the set of all /'s that cause Bob to output z. Then the first step 
is to lower-bound Pr^^j [/], for some fixed z and / G T[z\. Let Nf [z] be the number of inputs 



x G {0, l} n such that / (x) = {-l) z ' x . It is not hard to see that N f [z] = f + 



Nf(z) 



So 



Pr [/] 

v[z] LJJ 




1 (-1)**/ (*) 

2 2^N 



N f [z] 



1 



1 



n 

xe{o,i} n 

N-N f [z_ 



i (-ir/w 



N 

(VWf(z)+N)/2 



\ 



(i - i/Vjv) 



(VNf(z)-N)/2 



+ 



H 1 

1 - l/y/N 




N-N f [z] y 



N 

(VNf(z)+N)/2\ 



> 



2 N+1 

2^eW ( 

e 13 + e" 
2^2 



N/2 



'l + i/VTt 
1-i/Vn, 



(i + i/Vjv) 

/Af/( Z )/2 

+ 



m/(z)-N)/2 



1 - i/^/iv N 



i + i/Vn 



e /o) + e -/<») 



A? 



Here the second-to-last line takes the limit as iV — > oo, while the last line follows from the as- 



sumption 
y = 0. 



/(*) 



> (3, together with the fact that e y + e y increases monotonically away from 
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Summing over all z and /, 



Pr[s = z]= E Pr[/]-Pr[s = z | /] 

Pr [/ | s = z] Pr [s = z] 



> 



E E Pr m 

ze{0,i} n /e^M 

l y y p r [/] 

2 e{o,i}"/e^[ 2 ] lJ 
e^ 3 + e~P 



2^~eN 



Pr[/] 



Now let £> = E s [D [s]] (that is, an equal mixture of all the D[s]'s). We claim that V is 
extremely close in variation distance to U, the uniform distribution over all Boolean functions 
/:{0,l} n -{-1,1}. 

Lemma 14 \\V-U\\ < e r* . 



Proof. By a calculation from Lemma [T3l for all / and s we have 

1 



£[.] [f] 2^2 N 



+ e 



-/(«) 



in the limit of large N. Hence 



Pr If] = E 

V s 



if] 



V\s\ 



2y/eN2 



N 



E 



e /(-) + e -/W 



se{o,i} r 



Clearly E/ [Pr© [/]] = 1/2 N . Our goal is to upper-bound the variance Vary [Pr© [/]], which mea- 
sures the distance from D to the uniform distribution. In the limit of large N, we have 



E 



Pr[/]' 



1 



AeN 2 2 2N 
1 



+ 



e /(*) +e -/(t) 



e + e" 



_;E ) 2 dx 



4eN 2 2 2N \ + J2 



1 



-^ ¥W [(2e* + 2)N + AeN(N-l) 



i ^ 1 + (e-ir 



2 2iV 



2eiV 



Hence 



Var 

/ 



£[/] 



E 



pr[/r 



E 



Pr [/] 



1)' 
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So by Cauchy-Schwarz, 



E 

/ 



Pr [/] 
v 



Pr [/] 

u 11 



< 



'Var 



and 



YD — U\\ < 



Pr[/] 



1 



1 1 



V2e~N 2 N 



2^2eN 



An immediate corollary of Lemma [T4l is that, if a Fourier Fishing algorithm succeeds with 
probability p on {fi, ■ ■ ■ , f n ) drawn from U n , then it also succeeds with probability at least 



P 



\D n -U n \\ > p 



(e — 1) n 
2V2eN 



on (/i, . . . , f n ) drawn from D n . 
4.3 Putting It All Together 

Using the results of Sections 14. II and 14.21 we are now ready to prove a lower bound on the constant- 
depth circuit complexity of Fourier Fishing. 

Theorem 15 Any depth-d circuit that solves the FOURIER Fishing problem, with probability at 
least 0.99 over fx, ■ ■ ■ , f n chosen uniformly at random, has size exp 

Proof. Let C be a circuit of depth d and size s. Let G be the set of all (/i, . . . , /„) on which C 



succeeds: that is, for which it outputs z%, . . . , z n , at least 75% of which satisfy 



fi (zi) 



> 1 and at 



least 25% of which satisfy 



fi ^i) 



> 2. Suppose 



Pr[(/i,...,/n)eG]>0.99. 



Then by Lemma [T4"l we also have 



( p — 1 I 77 

Pr K/i, ...,/„) € G] > 0.99 - ^-j==- > 0.98 

for sufficiently large n. 

Using the above fact, we will convert C into a new circuit C that solves the e-BiAS Detection 
problem of Corollary [T2| with e := • This C will have depth d' = d + 2 and size S' = O (NS). 
By Corollary fT2| this will imply that C itself must have had size 

S = exp (n (l/e 1 ^'^ 

= ex P (n (V/( M + 8 ))) . 

Let M = N 2 n, and let R = T\...Vm £ {0, 1} be a string of bits where each rj is 1 with 
independent probability p. We want to decide whether p = 1/2 or p = 1/2 + e — that is, whether R 
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was drawn from U [0] or U [e]. We can do this as follows. First, choose strings sx, . . . , s n G {0, l} n , 
bits 6j, . . . , 6 n € {0, 1}, and an integer G [n] uniformly at random. Next, define Boolean functions 
fx, ...,/„: {0, 1}™ — ► { — 1, 1} using the first Nn bits of R, like so: 

Finally, feed (fx, . . . , / n ) as input to C, and consider Zk, the A:*' 1 output of C (discarding the other 
n — 1 outputs). We are interested in Pr [zk = Sk], where the probability is over R, sx, . . . , s n , 
b\, . . . , b n , and fc. 

If p = 1/2, notice that fx, ■ ■ ■ , fn are independent and uniformly random regardless of s%, . . . , s n . 
So C gets no information about Sk, and Pr [zj. = Sk] = 1/N. 

On the other hand, if p = 1/2 + e, then each /j is drawn independently from the distribution 



T> [s] studied in Lemma [I3j So by the Lemma, for every i 6 [n], if /j (zi 



> (3 then 



Pr [zi = Si] > 



fi ' " 2y/EN ' 

So assuming C succeeds (that is, (fx,... , f n ) G G), we have 

, lfe 2 + e~ 2 \ l/e 1 + e~ 1 \ 1.038 
Pr [z k = s k ] > - -^^r )+-{ -^—^rr > 



fi,...J n ,k l 1 ~ 4 V J 2 V 2^iiV J ~ N 

So for a random (fx, ... , f n ) drawn according to T> n , 

( 1.038 \ 1.017 
Pr [z fc = > 0.98 — — > 



h,...,fn,k L ~ \ N J ~ N 

Notice that this is bounded above 1/N by a multiplicative constant. 

Now let us repeat the above experiment N times. That is, for all j := 1 to N, we generate 
Boolean functions fjx,..., fj n ■ {0, l} n — > {—1, 1} by the same probabilistic procedure as before, 
but each time using a new iVra-bit substring of Rj of R, as well as new s, b, and k values (denoted 
Sjx, • • • , Sj n , bjx, ■ ■ ■ , bj n , and kj). We then apply C to each n-tuple (fjx, ■ ■ ■ , fjn)- Let Zj be the 
k^ h string that C outputs when run on (fjx, ■ ■ ■ , fjn}- Then by the above, for each j G [N] we have 

1 r , 1.017 

P = 2 + £ Pr \- Z 3 = S 3k 3 \ > 

Furthermore, these probabilities are independent across the different j's. So let E be the event 
that there exists a j £ [N] such that Zj = Sjk r Then if p = 1/2 we have 

1\ N 1 



Pt[E) = 1- ( 1-- 1 ~l--< 0.633, 



while if p = 1/2 + e we have 



1 017\ Ar 

Pr [E] > 1 - ( 1 - -j^- j > 0.638. 
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It should now be clear how to create the circuit C, which distinguishes R G {0, 1} M drawn 
from U [0] from R drawn from IA [e] with constant bias. For each j G [N], generate an n-tuple 
of Boolean functions (fji, ■ ■ ■ , fj n ) from R and apply C to it; then check whether there exists a 
j G [N] such that Zj = Sjj~.. This checking step can be done by a depth-2 circuit of size O (Nn). 
Therefore, C will have depth d! = d + 2 and size s' = O (Ns). A technicality is that our choices 
of the Sji's, bjiS, and kj's were made randomly. However, by Yao's principle, there clearly exist 
Sji's, bji's, and kj's such that 

Pr \C (R)] - Pr \C (R)] > 0.638 - 0.633 = 0.005. 

U[e] L J U[o] L J 

So in forming C", we simply hardwire those choices. ■ 

Combining Theorem 1151 with standard diagonalization tricks, we can now prove an oracle sep- 
aration (in fact, a random oracle separation) between the complexity classes FBQP and FBPP PH . 

Theorem 16 FBQP" 4 <f_ FBPP PH with probability 1 for a random oracle A. 

Proof. We interpret the oracle A as encoding n random Boolean functions f n \, . . . , f nn : {0, l} n — * 
{ — 1,1} for each positive integer n. Let R be the relational problem where we are given n as 
input, and succeed if and only if we output strings zi, ■ ■ ■ , z n £ {0, l} n , at least 3/4 of which satisfy 

fni V 



> 2. Then by Lemmas [7] and [8l there exists 
Pr [M(0 n ) succeeds] > 1 



> 1 and at least 1/4 of which satisfy f n i (z^ 
an FBQP" 4 machine M such that for all n, 

1 



exp (n) ' 

where the probability is over both A and the quantum randomness. Hence Pr [M (0 n ) succeeds] > 
1 — 1/ exp (n) on all but finitely many n, with probability 1 over A. Since we can simply hardwire 
the answers on the n's for which M fails, it follows that R G FBQP" 4 with probability 1 over A. 

On the other hand, let M be an FBPP PH machine. Then by the standard conversion between 
PH and AC , for every n there exists a probabilistic AC circuit C M ,n, of size 2P ol y( n ) = 2?°^°^) , 
that takes A as input and simulates M(0 n ). By Yao's principle, we can assume without loss of 
generality that Cm,u is deterministic, since the oracle A is already random. Then by Theorem 1151 

Pr [Cmu succeeds] < 0.99 

A ' 

for all sufficiently large n. By the independence of the /m's, this is true even if we condition on 
Cm i, . . . , Cm,u-i succeeding. So as in the standard random oracle argument of Bennett and Gill 
|10j . for every fixed M we have 

Pr [C m ,i,C m ,2,Cm,3, ■ ■ ■ succeed] = 0. 



So by the union bound, 



Pr [3M : Ca/.i, C M , 2, C M ,3, ■ ■ ■ succeed] = 



as well. It follows that FBQP A gt FBPP Ph|A with probability 1 over A. m 

If we "scale down by an exponential," then we can eliminate the need for the oracle A, and get 
a relation problem that is solvable in quantum logarithmic time but not in AC . 
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Theorem 17 There exists a relation problem solvable in BQLOGTIME but not in AC . 

Proof. In our relation problem R, the input (of size M = 2 n n) will encode the truth tables of n 
Boolean functions, fa,...,f n ■ {0, 1}™ — ► { — 1, 1}, which are promised to be "good" as defined in 
Section |2~T1 The task is to solve Promise Fourier Fishing on (fa, . . . , f n ). 

By Lemma there exists a quantum algorithm that runs in O (n) = O (log M) time, making 
random accesses to the truth tables of fa, ... , f n , that solves R with probability 1 — 1/exp (n) = 
l-l/M n W. 

On the other hand, suppose R is in AC . Then we get a nonuniform circuit family {C n } n , of 
depth O (1) and size poly (M) = 2°^ n \ that solves Fourier Fishing on all tuples (fa, ... ,f n ) that 
are good. Recall that by Lemma El a 1 — 1/ exp (n) fraction of (fa, ... , f n )'s are good. Therefore 
{C n } n actually solves Fourier Fishing with probability 1 — 1/exp (n) on (fa,...,f n ) chosen 
uniformly at random. But this contradicts Theorem 1151 

Hence R G FBQLOGTIME \ FAC° (where FBQLOGTIME and FAC° are the relation versions of 
BQLOGTIME and AC respectively). ■ 

5 The Classical Complexity of Fourier Checking 

Section H] settled the relativized BQP versus PH question, if we are willing to talk about relation 
problems. Ultimately, though, we also care about decision problems. So in this section we consider 
the Fourier Checking problem, of deciding whether two Boolean functions /, g are independent 
or forrelated. In Section 13.21 we saw that Fourier Checking has quantum query complexity 
O (1). What is its classical query complexity "ip 

It is not hard to give a classical algorithm that solves Fourier Checking using O (v^V^ = 

O (2 n / 2 ) queries. The algorithm is as follows: for some K = O ^v^V^, first choose sets X = 
{x±, . . . , xk} and Y = {yi, . . . , uk} of n-bit strings uniformly at random. Then query / (xi) and 
g (yi) for all i G [K]. Finally, compute 

K 

accept if \Z\ is greater than some cutoff cK, and reject otherwise. For suitable K and c, one can 
show that this algorithm accepts a forrelated (/,<?) pair with probability at least 2/3, and accepts 
a random (/, g) pair with probability at least 1/3. We omit the details of the analysis, as they are 
tedious and not needed elsewhere in the paper. 

In the next section, we will show that Fourier Checking has a property called almost k-wise 
independence, which immediately implies a lower bound of Q. (^\fN^j = Q, (2 n / 4 ) on its classical query 

complexity (as well as exponential lower bounds on its MA, BPP pat h, and SZK query complexities). 
Indeed, we conjecture that almost /c-wise independence is enough to imply that Fourier Checking 
is not in PH. We discuss the status of that conjecture in Section [6l 

10 So long as we consider the distributional version of Fourier Checking, the deterministic and randomized query 
complexities are the same (by Yao's principle). 
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5.1 Almost fc-Wise Independence 

Let Z = z\ . . . zm € {—1, 1} M be a string. Then a literal is a term of the form and a k-term is 
a product of k literals (each involving a different Zi), which is 1 if the literals all take on prescribed 
values and otherwise. 

Let hi be the uniform distribution over { — 1, 1} M . The following definition will play a major 
role in this work. 

Definition 18 A distribution V over { — 1, 1} M is e-almost k-wise independent if for every k-term 

—Si}— 

(Note that Pr u [C] is just 2~ k .) 

Now let M = 2 n+1 = 2N, and let T be the forrelated distribution over pairs of Boolean 
functions f,g : {0,1}™ — ► { — 1,1}. That is, we sample (/, g) G T by first choosing a vector 
v = ( v x)xe{-i i} n e °f independent N (0, 1) Gaussians, then setting / (x) := sgn (v x ) for all x 
and g (y) := sgn for all y. 

Theorem 19 For all k < \/~N , the forrelated distribution T is O -almost k-wise inde- 

pendent. 

Proof. As a first step, we will prove an analogous statement for the real-valued functions F (x) := 
v x and G(y) :=v y ; then we will generalize to the discrete versions / (x) and g (y). Let U' be the 
probability measure over (F, G) that corresponds to case (i) of Fourier Checking: that is, we 
choose each F (x) and G{y) independently from the Gaussian measure M (0,1). Let T' be the 
probability measure over (F, G) that corresponds to case (ii) of Fourier Checking: that is, we 
choose each F (x) independently from N (0, 1), then set G (y) := F (y) where 

P ^ = yw £ (-^r y F(x) 

ViV a;G{0,l} n 

is the Fourier transform of F. Observe that since the Fourier transform is unitary, G has the same 
marginal distribution as F under T': namely, a product of independent JV(0, 1) Gaussians. 

Fix inputs x u ...,x K e {0, l} n of F and y±,...,yL € {0, l} n of G, for some K,L < N 1 / 4 . 
Then given constants a±, . . . , ax, b\, . . . , bi G K, let S be the set of all (F, G) that satisfy the K + L 
equations 

F ( Xi ) = Oj for all 1 < i < K, (1) 
G{ Vj ) = bj for all 1 <j < L. 

Clearly S is a (2iV — K — L)-dimensional affine subspace of M. 2N . The measure of S, under some 
probability measure \i on R 27V , is defined in the usual way as 



M(5):= / t x(F,G)d{F,G). 
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Now let 

A s := a\ + • • • + a\ + b\ + • • • + b\ 

be the squared distance between S and the origin (that is, the minimum squared 2-norm of any 
point in S). Then by the spherical symmetry of the Gaussian measure, it is not hard to see that 
S has measure 

e -As/2 



under W '. Our key claim is that 



i _ .(K + L)A s \F(S)^ i + f(K + L ) As 



J ~ U'{S) ~ V Vn 

To prove this claim: recall that the probability measure over F induced by T' is just a spherical 
Gaussian Q on R N , and that G = F uniquely determines F and vice versa. So consider the 
(N — K — L)-dimensional affine subspace T of R N defined by the K + L equations 

F (xi) = cij for all 1 < i < K, 
F ( Vj ) = bj for all 1 < j < L. 

Then T 1 (S) = Q (T): that is, to compute how much measure T 1 assigns to S, it suffices to compute 
how much measure Q assigns to T. We have 

e -A T /2 

G(T)= * 



2. K+L - 



where At is the squared Euclidean distance between T and the origin. Thus, our problem reduces 
to minimizing 

A F := £ F(x) 2 
xe{o,i} n 

over all F G T. By a standard fact about quadratic optimization, the minimal F G T will have 
the form 

F (x) = a x E x (x) + • • • + a K E K (x) + (x) + ■ ■ • + PlXl (x) 

where 

E . r x \ . = I 1 tfx = Xi 
\ otherwise 

is an indicator function, and 

(_->\x-yj 



N 

is the yj h Fourier character evaluated at x. Furthermore, the coefficients {ctilie^] '{^j}je[L] can 
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be obtained by solving the linear system 

/ 1 ±1/VN ■■■ ±1/^N \ ( ai \ 

: '•• : 

1 ±1/VN ■■■ ±l/y/N 

±l/y/N ••• ±l/y/N 10 

: ■■. : '•• 

\ ±l/y/N ■■■ ±1/VN 1 / \ P L ) 



Pi 



( «i \ 



a K 
h 



Here A is simply a matrix of covariances: the top left block records the inner product between 
each Ei and Ej (and hence is a K x K identity matrix), the bottom right block records the inner 
product between each Xi an d Xj (and hence is an L x L identity matrix), and the remaining two 
blocks of size K x L record the inner product between each and Xj- 

Thus, to get the vector of coefficients u 6 R K+L , we simply need to calculate A~ 1 w. Define 
B := I — A. Then by Taylor series expansion, 

A' 1 = (I- By 1 = I + B + B 2 + B 3 -\ 



Notice that every entry of B is at most 1/yJV in absolute value. This means that, for all positive 
integers t, every entry of B 1 is at most 



(K + Lf- 1 

in absolute value. Since K + L <C v^V, this in turn means that every entry of I — A -1 has absolute 
value O ^1/v^V^ • So A^ 1 is exponentially close to the identity matrix. Hence, when we compute 
the vector u = A~ lr w, we find that 

ai = ai + Si for all 1 < i < K, 
pj = bj + Sj for all 1 < j < L, 

for some small error terms £j and Sj. Specifically, each £j and Sj is the inner product of w, a 
(K + L)-dimensional vector of length \/A$, with a vector every entry of which has absolute value 

0(l/v^V). By Cauchy-Schwarz, this implies that 



\si\ , \Sj\ = O 



'y/(K + L) A 5 S 



N 
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for all i, j. So 



At = min > F ( 

PaT 



xe{o,i} n 

K L K L „ 

£ ?+£/?+iiX;x; Q ''- 



1=1 j=i t=i j=i 

E (a* + + E & + + 2 E E — + £i) (6j + 



1=1 J=l «=1 J=l 

A 5 ± f i^±^l^ + (^+^)!^ + (K + L) 3 a/ 



A S [1±0 



N N AT3/2 



N 



where the fourth line made repeated use of Cauchy-Schwarz, and the fifth line used the fact that 
K + L < VN. Hence 



^ (5) e- A ^/ 2 /V2^ 



■x+l 



W (5) e -A s /2/^2? 

'A s - A T 



K+L 



exp 

exp I ±() 
1±0 



2 

(K + L) A 5 



(K + L) A s 



. N 

which proves the claim. 

To prove the theorem, we now need to generalize to the discrete functions / and g. Here we are 
given a term C that is a conjunction of K + L inequalities: K of the form F (x^ < or F (x^ > 0, 
and L of the form G (yj) < or G (yj) > 0. If we fix xi, ... , xk and y±, . . . , y^, we can think 
of C as just a convex region of M. K+L . Then given an affine subspace S as defined by equation 
([I]), we will (abusing notation) write S G C if the vector (qi, . . . , ajcifh., ■ ■ ■ , Pl) is in C: that is, 
if S is compatible with the K + L inequalities that define C. We need to show that the ratio 
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Pr^- [C] I Pr^ [C] is close to 1. We can do so using the previous result, as follows: 
PrHC] _f SeC F(S)dS 



Pr u [C] f SeC U'(S)dS 



1 + n (iE+M^s 



dS 



L eC U'(S)dS 



isec* 


'e- A s/ 2 /V2^ K+L ' 




l±0 


((K+L)A S \ 
V J 




dS 


isec 


'e-*s/2/^ K+L 


dS 



:i/2) 



K+L 



±o 



sec 



■K+L' 



(K+L)A s , q \ 



(1/2) 



K+L 



2 K+L t K + L) 

1± V ^ ' o 



N 

i±*±ioi 



1±0 




'5 V2vr 



Setting k := K + L, this completes the proof. ■ 
5.2 Oracle Separation Results 

The following lemma shows that any almost A;-wise independent distribution is indistinguishable 
from the uniform distribution by BPP pat h or SZK machines. 

Lemma 20 Suppose a probability distribution T> over oracle strings is 1/t (n) -almost poly (n)-wise 
independent, for some superpolynomial function t. Then no BPP pat h machine or SZK protocol can 
distinguish D from the uniform distribution hi with non-negligible bias. 

Proof. Let M be a BPP pat h machine, and let py be the probability that M accepts an oracle 
string drawn from distribution D. Then py can be written as ay/sy, where sy is the fraction of 
M's computation paths that are postselected, and ay is the fraction of M's paths that are both 
postselected and accepting. Since each computation path can examine at most poly (n) bits and 
V is 1/t (n)-almost poly (n)-wise independent, we have 



1 



Hence 



t (n) a u 



1 



ay 

< — < 1 + 



1 



t(n) 



and 1 



1 s v 1 
< — < H ■ 

t (n) s u t (n) 



1 



ay/sy 



1 + 



1 



t{n)J a u /s u V *( n ), 
Now let P be an SZK protocol. Then by a result of Sahai and Vadhan [31] , there exist 
polynomial-time samplable distributions A and A' such that if P accepts, then — A'\\ < 1/3, 
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while if P rejects, then \\A — A'\\ > 2/3. But since each computation path can examine at most 
poly (n) oracle bits and T> is 1/t (n)-almost poly (n)-wise independent, we have || Ap — Au\\ < 1/t (n) 
and WA'j-, — A' u \\ < 1/t (n), where the subscript denotes the distribution from which the oracle string 
was drawn. Hence 

\\\A V - A' v \\ - \\A U - Al<\\\ < \\A V -A U \\ + \\A' V -A' U \\ < 

and no SZK protocol exists. ■ 

We now combine Lemma [20l and Theorem 1191 with standard diagonalization tricks, to obtain an 
oracle relative to which BQP <f_ BPP path and BQP £ SZK. 

Theorem 21 There exists an oracle A relative to which BQP A £ BPP A th and BQP A <£_ SZK A . 

Proof. The oracle A will encode the truth tables of Boolean functions fi, ■ ■ ■ and <7i, #2> • • •> 
where f n ,9n '■ {0, l} n — > { — 1,1} are on n variables each. For each n, with 1/2 probability we 
draw (fn,9n) from the uniform distribution U, and with 1/2 probability we draw (f n ,9n) from the 
forrelated distribution T . Let L be the unary language consisting of all n for which (f n ,gn) was 
drawn from T . 

By Theorem [9l there exists a BQP A machine M that decides L on all but finitely many values 
of n, with probability 1 over A. Since we can simply hardwire the values of n on which M fails, it 
follows that L S BQP A with probability 1 over A. 

On the other hand, we showed in Theorem 1191 that T is O (n) 2 /2 n / 2 ^ -almost p (n)-wise 
independent for all polynomials p. Hence, by Lemma [20l no BPP pat h machine can distinguish T 
from IA with non-negligible bias. Let E n (M) be the event that the BPP A th machine M correctly 
decides whether n £ L. Then 

Pr[£„(M)]<~+ (l), 

and moreover this is true even conditioning on E\ (M) , . . . ,E n —x (M). So as in the standard 
random oracle argument of Bennett and Gill |10| . for every fixed M we have 

Pr [Ei (M) A E 2 (M) A • • • ] = 0. 

So by the union bound, 

Pr [3M : E 1 (M) A E 2 (M) A • • • 1 = 

A 

as well. It follows that BQP A <£_ BPP A th with probability 1 over A. By exactly the same argument, 
we also get BQP A (f_ SZK A with probability 1 over A. m 

Since BPP C MA C BPP pat h, Theorem [21] supersedes the previous results that there exist oracles 
A relative to which BPP A / BQP A [UJ and BQP A MA A [38]. 

6 The Generalized Linial-Nisan Conjecture 

In 1990, Linial and Nisan [28] famously conjectured that "polylogarithmic independence fools 
AC " — or loosely speaking, that every probability distribution T> over n-bit strings that is uniform 
on all small subsets of bits, is indistinguishable from the uniform distribution by polynomial-size, 
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constant-depth circuits. We now state a variant of the Linial-Nisan Conjecture, not with the best 
possible parameters but with weaker, easier-to-understand parameters that suffice for our applica- 
tion. 

Conjecture 22 (Linial-Nisan Conjecture) LetT> be an n^ 1 ** -wise independent distribution over 
{0, l} n , and let f : {0, l} n — ► {0, 1} be computed by an AC circuit of size 2 n ° W and depth O (1). 
Then 

'Pr [/(x)]- Pr [/(*)] =o(l). 

x^D x^U 

After seventeen years of almost no progress, in 2007 Bazzi [7] finally proved Conjecture 1221 for 
the special case of depth-2 circuits (also called DNF formulas). Bazzi's proof was about 50 pages, 
but it was dramatically simplified a year later, when Razborov [30J discovered a 3-page proof. Then 
in 2009, Braverman [13] gave a breakthrough proof of the full Linial-Nisan Conjecture. 

Theorem 23 (Braverman's Theorem [13] ) Let f : {0, l} n — > {0,1} be computed by an AC 

circuit of size S and depth d, and let T> be a (log j) 7d -wise independent distribution over {0, 1}™. 
Then for all sufficiently large S, 



Pr [f(x)]~ Pr [f(x)\ 

X^T> X^AA 



< £. 



We conjecture a modest-seeming extension of Braverman's Theorem, which says (informally) 
that almost /c-wise independent distributions fool AC as well. 

Conjecture 24 (Generalized Linial-Nisan or GLN Conjecture) Let V be a l/n Q ^ -almost 
wP^-wise independent distribution over {0,1}™, and let f : {0, l} n — > {0,1} be computed by an 
AC circuit of size 2 n ° (1) and depth 0(1). Then 



Pr [/(*)]- Pr [f{x)] 

x^T> x^U 



0(1). 



By the usual correspondence between AC and PH, the GLN Conjecture immediately implies 
the following counterpart of Lemma [20l 

Suppose a probability distribution T> over oracle strings is 1/t (n)-almost poly (n) -wise 
independent, for some superpolynomial function t. Then no PH machine can distin- 
guish D from the uniform distribution U with non-negligible bias. 

And thus we get the following implication: 

Theorem 25 Assuming the GLN Conjecture, there exists an oracle A relative to which BQP A <f_ 
Phr 4 . 



Proof. The proof is the same as that of Theoreml21t the only difference is that the GLN Conjecture 
now plays the role of Lemma [20j ■ 
Likewise: 
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Theorem 26 Assuming the GLN Conjecture for the special case of depth-2 circuits (i.e., DNF 
formulas), there exists an oracle A relative to which BQP A (£_ AM" 4 . 

Proof. Just like in Theoreml2H define an oracle A and an associated language L using the Fourier 
Checking problem. Then L £ BQP A , with probability 1 over the choices made in constructing A. 
On the other hand, suppose L £ AM A with probability 1 over A. Then we claim that Fourier 
Checking can also be solved by a family of DNF formulas {^n} n >i of size 2 poly(n ): 



Pr >n (/,<?)] 

(/>9>~-7 r 



Pr b n (f,g)] 



nil) 



But since T is O (k 2 /2 n / 2 ) -almost A:- wise independent (by Theorem 119ft . such a family (p n would 
violate the depth-2 case of the GLN Conjecture. 

We now prove the claim. For simplicity, fix an input length n, and let A refer to a single 
instance (f,g) of Fourier Checking^ Let P be an AM protocol that successfully distinguishes 
the forrelated distribution T over (/, g) pairs from the uniform distribution U. We can assume 
without loss of generality that P is public- coin [23]. In other words, Arthur first sends a random 
challenge r 6 {0, l} poly ( n ) to Merlin, then Merlin responds with a witness w G {0, l} poly ( n ) ) then 
Arthur runs a deterministic polynomial-time verification procedure V (r, w) to decide whether to 
accept. By the assumption that P succeeds, 



Pr \3w : V A (r, w)] - Pr \3w : V A ( 



r, 10 



So by Yao's principle, there exists a fixed challenge r* such that 



fi(l) 



Pr \3w : V A (r*,w)] - Pr \3w: V A (r* ,w)] 



0(1) 



Now let Qa,w be the set of all queries that V A (r* ,w) makes to A, and let Ca,w (A') be a term (i.e., 
a conjunction of l's and O's) that returns TRUE if and only if A' agrees with A on all queries in 
Qa,w Then we can assume without loss of generality that C w := Ca,w depends only on w, not on 
A — since Merlin can simply tell Arthur what queries V is going to make and what their outcomes 
will be, and Arthur can reject if Merlin is lying. Let W be the set of all witnesses w such that 
Arthur accepts if C w (A) returns TRUE. Consider the DNF formula 



<p(A):= V C w (A) , 



which expresses that there exists a w causing V A (r* ,w) to accept. 
2P ol y( n ) terms with poly (n) literals each, and 



Then ip contains at most 



Pr [if (A)} 
A~T> 



Pr [ip (A)] 
A~V 



n It is straightforward to generalize to the case where Arthur can query other instances, besides the one he is trying 
to solve. 
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As a side note, it is conceivable that one could prove 



p r [<p(x)] - Pr Vp{x)] 



0(1) 



for every almost /c-wise independent distribution T> and small CNF formula <p, without getting the 
same result for DNF formulas (or vice versa). However, since BQP is closed under complement, 
even such an asymmetric result would imply an oracle A relative to which BQP" 4 (£_ AM" 4 . 

If the GLN Conjecture holds, then we can also "scale down by an exponential," to obtain an 
unrelativized decision problem that is solvable in quantum logarithmic time but not in AC . 

Theorem 27 Assuming the GLN Conjecture, there exists a promise problem in BQLOGTIME that 
is not in AC . 

Proof. In our promise problem II = (HyESinNo)) the inputs (of size M = 2 n+1 ) will encode pairs 
of Boolean functions /, g : {0, l} n — ► {—1,1}, such that 



is either at least 0.05 or at most 0.01. The problem is to accept in the former case and reject in 
the latter case. 

Using the algorithm FC-ALG from Section 1331 it is immediate that II G BQLOGTIME. On 
the other hand, suppose II e AC . Then we get a nonuniform circuit family {C n } n , of depth 
O (1) and size poly (M) = 2°( n \ that solves Fourier Checking on all pairs (/, g) such that (i) 
P (/) d) < 0.01 or (ii) p (/, g) > 0.05. By Corollary [TO] the class (i) includes the overwhelming 
majority of (/, g)'s drawn from the uniform distribution li, while the class (ii) includes a constant 
fraction of (/, g}'s drawn from the forrelated distribution T . Therefore, we actually obtain an AC 
circuit family that distinguishes U from J- with constant bias. But this contradicts Theorem [T9l 
together with the GLN Conjecture. ■ 

6.1 Low- Fat Polynomials 

Given that the GLN Conjecture would have such remarkable implications for quantum complexity 
theory, the question arises of how we can go about proving it. As we are indebted to Louay 
Bazzi for pointing out to us, the GLN Conjecture is equivalent to the following conjecture, about 
approximating AC functions by low-degree polynomials. 

Conjecture 28 (Low-Fat Sandwich Conjecture) For every function f : {0,1}™ — > {0,1} com- 
putable by an AC circuit, there exist polynomials pi,p u '■ K n — ► K of degree k = that satisfy 
the following three conditions. 

(i) Sandwiching: pi (x) < f (x) < p u (x) for all x G {0, l} n . 

(ii) L\- Approximation: ~E xr ^u [p u (x) — pi {x)\ = o (1). 

(in) Low-Fat: pi (x) andp u (x) can be written as linear combinations of terms, pg (x) = Y^c a cC (x) 
and p u (x) = Ylc ( x ) respectively, such that Y^c \ a c\ = and Y2c 2~' c '' = 
n ^K (Here a term is a product of literals of the form X{ and 1 — x%.) 
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If we take out condition (iii), then Conjecture [28] becomes equivalent to the original Linial-Nisan 
Conjecture (see Bazzi [7J for a proof). And indeed, all progress so far on "Linial-Nisan problems" 
has crucially relied on this connection with polynomials. Bazzi [7J and Razborov [30] proved 
the depth-2 case of the LN Conjecture by constructing low-degree, approximating, sandwiching 
polynomials for every DNF, while Braverman [13] proved the full LN Conjecture by constructing 
such polynomials for every AC circuital Given this history, proving Conjecture [28] would seem 
like the "obvious" approach to proving the GLN Conjecture. 

Below we prove one direction of the equivalence: that to prove the GLN Conjecture, it suffices 
to construct low- fat sandwiching polynomials for every AC circuit. The other direction — that 
the GLN Conjecture implies Conjecture [28] and hence, there is no loss of generality in working 
with polynomials instead of probability distributions — follows from a linear programming duality 
calculation that we omit. 

Theorem 29 The Low-Fat Sandwich Conjecture implies the GLN Conjecture. 

Proof. Given an AC function /, let pe,p u be the low-fat sandwiching polynomials of degree k that 
are guaranteed by Conjecture [28] Also, let T> be an e-almost A:-wise independent distribution over 
{0, l} n , for some e = l/n n(1) . Then 

Pr [/(a)] - Pr [f (x)] < E[ Pu ] - E[ Pi ] 



< 



£/fcE[C]-E[p 

c 

Z^^ci g^ 

c 



c 

n o(l) 



E\p u - Pi ]+eJ2 2 | C | 
c 



o(l) + 



Likewise, 



n n(i) 
o(l). 



Pr \f(x)]- Pr [f(x)]<E\p u ]-E\p e ] 

xr-4A x~T> LA T> 

= E\p u }-^a c E[C] 
u c v 



< g [P»] ~ 2^ 2 \c\ 
c 

= V\Pu-Pe}+sJ2lM 

c 

= o(l). 



12 Strictly speaking, Braverman constructed approximating polynomials with slightly different (though still suffi- 
cient) properties. We know from Bazzi [7] that it must be possible to get sandwiching polynomials as well. 
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7 Discussion 



We now take a step back, and use our results to address some conceptual questions about the 
relativized BQP versus PH question, the GLN Conjecture, and what makes them so difficult. 

The first question is an obvious one. Complexity theorists have known for decades how to 
prove constant-depth circuit lower bounds, and how to use those lower bounds to give oracles A 
relative to which (for example) PP" 4 <£_ PH" 4 and ©P" 4 <f- PH" 4 . So why should it be so much harder 
to give an A relative to which BQP" 4 <f_ PH" 4 ? What makes this AC lower bound different from 
other AC lower bounds? 

The answer seems to be that, while we have powerful techniques for proving that a function 
/ is not in AC , all of those techniques, in one way or another, involve arguing that f is not 
approximated by a low-degree polynomial. The Razborov-Smolensky technique |29[ [35] argues this 
explicitly, while even the random restriction technique [16, 39j [36] argues it "implicitly," as shown 
by Linial, Mansour, and Nisan [27] . And this is a problem, if / is also computed by an efficient 
quantum algorithm. For Beals et al. [8] proved the following in 1998: 

Lemma 30 (|8j) Suppose a quantum algorithm Q makes T queries to a Boolean input X € 
{0,1}^. Then Q's acceptance probability is a real multilinear polynomial p(X), of degree at 
most IT . 

In other words, if a function / is in BQP, then for that very reason, / has a low-degree approx- 
imating polynomial! As an example, we already saw that the following polynomial p, of degree 4, 
successfully distinguishes the forrelated distribution T from the uniform distribution U : 



p(f,g)--=^i £ f W (~ir v g (y)) - (2) 

\x,ye{0,l} n j 



Therefore, we cannot hope to prove a lower bound for Fourier Checking, by any argument that 
would also imply that such a p cannot exist. 
This brings us to a second question. If 

(i) every known technique for proving f ^ AC involves showing that / is not approximated by 
a low-degree polynomial, but 

(ii) every function / with low quantum query complexity is approximated by a low-degree poly- 
nomial, 

does that mean there is no hope of solving the relativized BQP versus PH problem using polynomial- 
based techniques? 

We believe the answer is no. The essential point here is that an AC function can be approxi- 
mated by different kinds of low-degree polynomials. For example, Linial, Mansour, and Nisan [27] 
showed that, if / : {0, 1}" — > {0, 1} is in AC , then there exists a real polynomial p : K n — > 1R, of 
degree polylogn, such that 



E 

rrG{0,l} n L 



(p(x)-f(x)) 2 =o(l). 
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By comparison, Razborov [29] and Smolensky [35] showed that if / S AC , then there exists a 
polynomial p : F n — ► F over any field F (finite or infinite), of degree polylog N, such that 

Pr [p( x )^f(x)]=o(l). 

Furthermore, to show that / ^ AC , it suffices to show that / is not approximated by a low- 
degree polynomial in any one of these senses. For example, even though the Parity function 
has degree 1 over the finite field F2, Razborov and Smolensky showed that over other fields (such 
as F3), any degree-o {y/n) polynomial disagrees with Parity on a large fraction of inputs — and 
that is enough to imply that Parity^ AC . In other words, we simply need to find a type 
of polynomial approximation that works for AC circuits, but does not work for the Fourier 
Checking problem. If true, Conjecture [28] (the Low- Fat Sandwich Conjecture) provides exactly 
such a type of approximation. 

But this raises another question: what is the significance of the "low-fat" requirement in Con- 
jecture [28]? Why, of all things, do we want our approximating polynomial p to be expressible as a 
linear combination of terms, p(x) = ^j C olqC (x), such that Ylc 

\a c \ 2 -|c| = n°W? 

The answer takes us to the heart of what an oracle separation between BQP and PH would 
have to accomplish. Notice that, although the polynomial p from equation ([2]) solved the Fourier 
Checking problem, it did so only by cancelling massive numbers of positive and negative terms, 
then representing the answer by the tiny residue left over. Not coincidentally, this sort of cancella- 
tion is a central feature of quantum algorithms. By contrast, Theorem 1291 essentially says that, if 
a polynomial p does not involve such massive cancellations, but is instead more "conservative" and 
"reasonable" (like the polynomials that arise from classical decision trees), then p cannot distin- 
guish almost fe-wise independent distributions from the uniform distribution, and therefore cannot 
solve Fourier Checking. If Conjecture 1281 holds, then every small-depth circuit can be approx- 
imated, not just by any low-degree polynomial, but by a "conservative," "reasonable" low-degree 
polynomial — one with a bound on the coefficients that prevents massive cancellations. This would 
prove that Fourier Checking has no small constant-depth circuits, and hence that there exists 
an oracle separating BQP from PH. 

This brings us to the fourth and final question: how might one prove Conjecture 1281 ? In 
particular, is it possible that some trivial modification of Braverman's proof [13] would give low-fat 
sandwiching polynomials, thereby establishing the GLN Conjecture? 

While we cannot rule this out, we believe that the answer is no. For examining Braverman's 
proof, we find that it combines two kinds of polynomial approximations of AC circuits: that of 
Linial-Mansour-Nisan [27] , and that of Razborov [29J and Smolensky [35J . Unfortunately, neither 
LMN nor Razborov- Smolensky gives anything like the control over the approximating polynomial's 
coefficients that Conjecture demands. LMN simply takes the Fourier transform of an AC 
function and deletes the high-order coefficients; while Razborov-Smolensky approximates each OR 
gate by a product of randomly-chosen linear functions. Both techniques produce approximating 
polynomials with a huge number of monomials, and no reasonable bound on their coefficients. 
While it is conceivable that those polynomials satisfy the low-fat condition anyway — because of 
some non-obvious representation as a linear combination of terms — certainly neither LMN nor 
Razborov-Smolensky gives any idea what that representation would look like. Thus, we suspect 
that, to get the desired control over the coefficients, one will need more "constructive" proofs of 
both the LMN and Razborov-Smolensky theorems. Such proofs would likely be of great interest 
to circuit complexity and computational learning theory for independent reasons. 
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8 Open Problems 



First, of course, prove the GLN Conjecture, or prove the existence of an oracle A relative to which 
BQP A <£ PH A by some other means. A natural first step would be to prove the GLN Conjecture 
for the special case of DNFs: as shown in Theorem [26"1 this would imply an oracle A relative to 
which BQP A (£ kU A . We have offered a $200 prize for the PH case and a $100 prize for the AM 
case 1^1 

Second, it would be of interest to prove the GLN Conjecture for classes of functions weaker than 
(or incomparable with) DNFs: for example, monotone DNFs, read-once formulas, and read-fc-times 
formulas. 

Third, can we give an example of a Boolean function / : {0,1}™ — ► { — 1,1} that is well- 
approximated by a low-degree polynomial, but not by a low-degree low-fat polynomial? Here is a 
more concrete version of the challenge: let 



■pll := E 

xe{o,i}" 



(f(x) -p(x)Y 



Then find a Boolean function / for which 

(i) there exists a degree-n^ 1 - 1 polynomial p : M n — * M such that \\f — p\\ = o(l), but 

(ii) there does not exist a degree-ra ^ 1 ) polynomial q : M n — > R such that ||/ — q\\ = o (1) and q can 
be written as a linear combination of terms, q (x) = otcC (x), with \a c \ 2-\°\ = n°^\ 

Fourth, can we give an oracle relative to which BQP <f_ IP? What about an oracle relative to 
which BQP 7^ IPbqPj where IPbqp is the class of problems that admit an interactive protocol with 
a BPP verifier and a BQP prover'j^l 

Fifth, what other implications does the GLN Conjecture have? If we assume it, can we address 
other longstanding open questions in quantum complexity theory, such as those discussed in Section 
II. IP For example, can we give an oracle relative to which NP C BQP but PH <f_ BQP, or an oracle 
relative to which NP C BQP and PH is infinite? 

Sixth, how much can we say about the BQP versus PH question in the unrelativized world? As 
one concrete challenge, can we find a nontrivial way to "realize" the Fourier Checking oracle 
(in other words, an explicit computational problem that is solvable using Fourier Checking)? 

Seventh, how far can the gap between the success probabilities of FBQP and FBPP PH algorithms 
be improved? Theorem 1 151 gave a relation for which a quantum algorithm succeeds with probability 
1 — c~ n , whereas any FBPP PH algorithm succeeds with probability at most 0.99. By changing the 
success criterion for Fourier Fishing — basically, by requiring the classical algorithm to output 
such that fi(zi) (z n ) are distributed "almost exactly as they would be in the 

quantum algorithm" — one can improve the 0.99 to 1/2 +e for any e > 0. However, improving the 
constant further might require a direct product theorem for AC circuits solving FOURIER FISHING. 



See http://scottaaronson.com/blog/?p=381 



If we let the verifier transmit unentangled qubits to the prover, then the resulting class IPbqp actually equals 
BQP, as recently shown by Broadbent, Fitzsimons, and Kashefi [14] (see also Aharonov, Ben-Or, and Eban [4]). It 
is not known whether this IP B q P = BQP result relativizes; we conjecture that it does not. 
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